Law firm exposure to cyber breach threats

What all attorneys should consider in an ever-changing world

With hackers executing sophisticated data breaches on companies both big and small, the need to protect your firm from the dangers of cybercrime is at an all-time high. Is your practice protected?

The words “cyber,” “cyber breach,” “data breach” or “cyber terrorism” should resonate with the typical Ohio legal practitioner. The recent and highly publicized data breaches affecting Sony Pictures Entertainment (corporate network compromised), Target (40 million records), Adobe (2.9 million records), or Schnucks grocery store (2.4 million records) should cause attorneys to consider the security of their firms’ records and data. If you haven’t considered the risk these threats pose and taken the steps necessary to reduce that risk, your oversight may prove costly.

Even in Ohio, these breaches are occurring and causing harm to large and small businesses alike. A few examples include Shumsky Promotional Agency (Dayton, 1,400 records), Equity Trust Company (Westlake, 5,900 records), Benny’s Pizza (Marysville, unknown number of records), Buckeye Title Loans of California, LLC (Dublin, OH, unknown number of records), City of Akron (8,000 records), and Allen County IT Department (1,152 records).

The Online Trust Alliance (OTA), working with data obtained from the Open Security Foundation and the Privacy Rights Clearinghouse, has estimated that more than 740 million online records were exposed worldwide in 2013—the worst year for data breaches in history. According to many experts, the pace of reported data breaches has increased significantly over the last year, with roughly one-third of the reported breaches in 2013 targeting businesses, including law firms. The OTA concluded that of the roughly 500 reported data breaches in the first half of 2013, 89 percent were avoidable, with many businesses and organizations lacking even the most basic security controls. Although attorneys are in the business of helping their clients legally manage or respond to risk, when it comes to managing their own risk, particularly against a data breach, most are falling short.

The typical publicly reported breaches are those involving hacking, third-party subcontractors, transportation of data, insider/employee theft, and employee error or negligence. How do these risks relate to a law firm’s exposures to significant costs and potential liability for data breach?

Although you may believe your firm is unlikely to be the target of a hack, such thinking may be a recipe for disaster. Cyber criminals are constantly adapting, looking for easy targets and sources of potentially valuable data. What makes this data valuable? If the data can be successfully used to steal identities, then criminals will use it to commit fraud for days, weeks or months before the identity theft is detected. Additionally, the stolen data may be sold to other would-be criminals all over the world. As certain businesses make it harder for criminals to penetrate their respective computer systems and networks, the next line of potential targets is those businesses that keep lots of data containing personally identifiable information (PII), but that lack adequate protective security.

Personally identifiable information is information that can be used, directly or indirectly, or in combination with other information, to identify a particular individual. It includes:

A name, identifying number, symbol, or other identifier assigned to a person;

Any information that describes anything about a person;

Any information that indicates actions done by or to a person; and

Any information that indicates that a person possesses certain personal characteristics.

Some examples of personally identifiable information, as defined by R.C. 1347.01, are:

Names;

Social Security numbers;

Resumes;

Correspondence;

Addresses;

Phone numbers;

Driver’s license numbers;

State identification numbers;

Professional license numbers;

Financial account information;

Medical and health information;

Physical characteristics and other biometric information;

Tax information;

Education information;

Individuals’ job classifications and salary information;

Performance evaluations;

Employment applications; and

Timesheets.

As law firms act as warehouses of client and employee data, they should recognize they are not immune to cyber-attacks. Not only are they not immune, in many ways law firms are the perfect targets. Most, if not all, law firms possess some amount of the above-described personally identifiable information, and in many instances, vast amounts of such information, whether that of their clients, employees, or parties and witnesses in litigation. How is such information stored and protected by attorneys and their firms, particularly when they may maintain files for many years?

Although historically such information was kept in paper files (often non-securely), more and more of this information is now stored electronically. Where paper files are subject to physical theft or loss (fire, flood, etc.), or loss by improper disposal techniques (e.g., failure to shred before disposal), digital files add an entirely new dimension to the risk of data loss. A criminal seeking digital files can often access far more files, at a much faster pace, than if he or she were looking to steal physical files. This is not an endorsement of turning back the hands of time to return to red ropes and file cabinets full of paper files, but merely a reality check.

Perhaps it is difficult for some law firms to envision a hack of their computer systems by a complete outsider. However, this is not completely out of the realm of possibility, as experts believe that law firms are the perfect potential target given their relative lack of data security combined with a likely treasure trove of valuable information—including valuable client confidentialities and personally identifiable information. These hacks or intrusions take many different forms, including foreign and domestic criminal networks seeking easy means to steal valuable information. Additionally, think about the amount of spam a law firm’s spam filter blocks, or the number of viruses, malware or worms (different forms of attacks) blocked by updated anti-virus software and firewalls. Some of the more sophisticated anti-virus software can produce reports reflecting the number of attacks a computer system/network has sustained over a given period of time. The data produced by such reports can be a shocking revelation of the myriad attempted hacks or intrusions into a law firm’s computer systems.

The most commonly reported cyber breach experienced by law firms is that related to the loss or theft of a laptop, thumb drive, smart phone, tablet or other mobile device. If the information on the device was not encrypted and contained or had access to files containing any of the personally identifiable information described above, a breach has likely occurred. These types of losses occur when laptops or mobile devices are stolen, usually in an office environment, or from a vehicle, or are “lost.” With access to office email and other law office networks, such theft can be an open door for cyber criminals to gain access to and steal confidential information in a relative blink of the eye.

Employee theft is also a significant risk within the law firm environment. Whether it is the theft of a laptop as described above, theft of the actual data itself, or theft of user identifications and passwords, such theft can occur and often goes undetected for a lengthy period of time. Such conduct can originate with an employee, or can originate through outside parties who “influence” an employee in a compromised position (for various reasons). Often by the time such conduct is discovered, the stolen data has made its way to third parties for various nefarious purposes, usually including identity theft.

Besides the common law duty owed by attorneys to protect the confidential information entrusted to them by clients, two additional sources of duties are imposed on attorneys to protect data: the Rules of Professional Conduct, and federal and state law. Rule 1.6 of the Ohio Rules of Professional Conduct requires an attorney to maintain the confidentiality of information relating to representation of a client, and Rule 1.9 requires the same for information of former clients. Rule 1.15 of the Rules of Professional Conduct requires that an attorney safeguard property of a client in his or her possession—a fiduciary obligation.

In addition to the traditional obligations imposed on the legal profession, most states and U.S. territories have enacted data security breach notification laws. Ohio’s notification law, R.C. 1349.19, applies to personally identifiable information of Ohio residents. It defines a “breach” as unauthorized access to and acquisition of unencrypted computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that results in, or is reasonably believed to cause a material risk of, identity theft or fraud to the person or property of an Ohio resident. The law applies to any individual or business conducting business in Ohio and owning or licensing computerized data that includes personal information about an Ohio resident, or that stores computerized personal information of Ohio residents maintained by any state agency or political subdivision. For purposes of R.C. 1349.19, “personal information” is confined to an individual’s first name (or first initial) and last name, in combination with and linked to any one or more of the following: Social Security number, driver’s license number or state identification number, account number or credit or debit card number (in combination with and linked to any required security code, access code, or password that would permit access to an individual’s financial account).

Pursuant to this law, a breach of security of the person’s or business’ data system must be disclosed to any resident of Ohio whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person, if the access and acquisition by the unauthorized person causes, or reasonably is believed will cause, a material risk of identity theft or other fraud to the resident. Disclosure is required to be made in the most expedient time possible, but no later than 45 days following its discovery or notification of the breach of the system, subject to the legitimate needs of law enforcement activities. Failure to comply with this notice requirement is subject to investigation and a potential civil action brought by the Attorney General.
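The definition of “personal information” and the 45-day outer limit described above amount to a decision rule that a firm must apply to every record in a compromised data set when scoping a notification. The following is an added example, not from the article or from any Ohio statute text, that encodes that rule as a small triage helper: a record counts only when a name (first name or first initial plus last name) is linked to one of the listed data elements, an account or card number counts only together with its access code, encrypted data falls outside the article's description of a breach, and the deadline is computed from the discovery date. The Record fields, the constructed sample records, and the helper names are assumptions of this example; the “material risk of identity theft or fraud” element is a judgment the helper does not make and is left to counsel.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Outer limit for disclosure stated in the article (R.C. 1349.19).
NOTIFY_WITHIN_DAYS = 45


@dataclass
class Record:
    """One row from a compromised data set (field names are assumptions)."""
    first_name: str = ""          # full first name or just a first initial
    last_name: str = ""
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None
    state_id: Optional[str] = None
    account_number: Optional[str] = None      # bank/credit/debit number
    account_access_code: Optional[str] = None  # PIN, password or security code
    ohio_resident: bool = False


def has_name(rec: Record) -> bool:
    """Name element: first name OR first initial, together with last name."""
    return bool(rec.first_name.strip()) and bool(rec.last_name.strip())


def linked_data_elements(rec: Record) -> List[str]:
    """Return which of the listed data elements the record carries.

    An account or card number only counts when linked to the code that
    would permit access to the financial account; on its own it does not.
    """
    elems = []
    if rec.ssn:
        elems.append("ssn")
    if rec.drivers_license or rec.state_id:
        elems.append("drivers_license_or_state_id")
    if rec.account_number and rec.account_access_code:
        elems.append("account_number_with_access_code")
    return elems


def is_personal_information(rec: Record) -> bool:
    """Name + at least one linked data element, per the article's definition."""
    return has_name(rec) and bool(linked_data_elements(rec))


def notifiable_records(records: List[Record], data_was_encrypted: bool) -> List[Record]:
    """Ohio residents whose records meet the definition.

    The article describes a breach as access to *unencrypted* computerized
    data, so an encrypted data set yields no notifiable records here.
    Whether the access creates a material risk of identity theft or fraud
    is a separate judgment this helper deliberately does not make.
    """
    if data_was_encrypted:
        return []
    return [r for r in records if r.ohio_resident and is_personal_information(r)]


def notification_deadline(discovered_on: date) -> date:
    """Latest disclosure date: 45 days after discovery (law enforcement holds aside)."""
    return discovered_on + timedelta(days=NOTIFY_WITHIN_DAYS)


def triage(records: List[Record], data_was_encrypted: bool, discovered_on: date) -> Dict[str, object]:
    """Summary a breach-response team would want on day one."""
    hits = notifiable_records(records, data_was_encrypted)
    return {
        "notifiable_count": len(hits),
        "notifiable_names": sorted(f"{r.first_name} {r.last_name}" for r in hits),
        "deadline": notification_deadline(discovered_on),
    }


def sample_records() -> List[Record]:
    """Constructed sample data; all values are placeholders, not real people."""
    return [
        Record("J", "Doe", ssn="000-00-0000", ohio_resident=True),                   # initial + SSN: counts
        Record("Jane", "Roe", account_number="0000111122223333", ohio_resident=True),  # number without code: does not
        Record("John", "Smith", drivers_license="XX000000", ohio_resident=False),     # not an Ohio resident
        Record("", "Solo", ssn="000-00-0001", ohio_resident=True),                    # no name element
        Record("Ann", "Lee", account_number="0000444455556666",
               account_access_code="0000", ohio_resident=True),                       # number + code: counts
    ]


if __name__ == "__main__":
    print(triage(sample_records(), data_was_encrypted=False, discovered_on=date(2015, 1, 10)))
```

Running the block on the constructed sample set reports two notifiable Ohio residents (the initial-plus-SSN record and the account-number-plus-code record), none if the same data had been encrypted, and a deadline of February 24, 2015 for a breach discovered on January 10, 2015. Firms with records on residents of other states would need a different rule per state, since, as the next paragraph notes, not all states define “personal information” as narrowly as Ohio.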

Most states have similar laws pertaining to “personal information” of their respective residents, so a similar duty is likely owed to those non-Ohio residents whose data may be compromised in a data breach. Law firms that may have personally identifiable information for clients (or any other person) in other states also need to be aware that not all states define “personal information” as narrowly as does Ohio. Firms with potential exposure to individuals residing in other states, or who provide services to clients in other states, should review the privacy laws in those states for further guidance regarding what information is regarded as personal information.

Total breach costs nationally and internationally have grown every year since 2006, with breach costs of U.S. companies in 2013 approaching $200 per exposed record. The types of costs associated with a data breach can be many, beginning with the expenses associated with hiring a computer forensics expert to determine how much information was compromised, and most importantly, whose information was disclosed. This cost can range from a few thousand dollars to tens or even hundreds of thousands of dollars, depending on the breadth of the breach. Another typical cost is that associated with compliance with the notice requirements of the state(s) of residence for those persons whose information was disclosed, and depends largely on the number of records disclosed. This cost will also vary based on whether the notice can be sent electronically, whether it must be mailed, whether additional costs need be incurred to locate the persons whose information has been disclosed, and whether alternative notice or publication is necessary.

Once a breach is discovered, additional costs are often needed to repair any damage to the systems themselves, to replace or restore software or data records that might be damaged or corrupted, and to block further access to the criminal(s) who obtained the personal information. These out-of-pocket costs do not include the potential damage to reputation caused by a breach, often occurring as a loss of trust of clients who entrusted their confidential information to the law firm. Most law firms will also experience some form of business interruption as a result of a data breach, as many hours will be devoted to investigating, responding to and repairing the breach. Finally, if clients sustain damage as a result of the data breach, such as damage to their credit resulting from identity theft or loss of funds from financial accounts, they may articulate a claim for negligence or malpractice.

Law firms can take various steps to limit their risks to cyber breaches, with the most obvious being to insure against such a loss. Although a client’s claim for cyber breach-related damages based on negligence or malpractice may be covered under some legal professional liability insurance policies, most often “first party-related costs/damages” are not. Such first party costs/damages can include most of those mentioned above: business interruption, privacy breach response costs, notification expenses, breach support and credit monitoring expenses, damage to data and computer programs, cyber extortion expenses, computer forensic and investigation fees, public relations expenses, legal expenses, etc.

Nine steps to prevent a security breach

In addition to obtaining insurance protection against a loss, law firms can and should take the following steps to help prevent a security breach.

Develop a comprehensive information security plan designed to prevent data breaches. A great resource is the ABA Cybersecurity Handbook.

Conduct a risk assessment, which often can be aided by the services of knowledgeable, objective, independent IT vendors.

Use appropriate encryption technology on servers, desktops, laptops and all mobile devices.

Limit access to computer systems, email and directories only to known and trusted users, and implement and follow appropriate password policies.

Develop and follow a data retention and destruction policy, so that personal data is not at risk. It is important to sanitize and eliminate personal information that is no longer needed, and frankly, to avoid collecting personal data that is not essential. Law firms should carefully analyze where such data is kept, and limit the number of places where such data is retained.

Educate employees about appropriate handling and protection of sensitive data and use and protection of passwords.

Implement and follow a written Internet security protocol (WISP) to explain in detail how Internet access and usage should be conducted on firm computers, and specifically, the limits on such usage. Not only is this employee education process important, but management of this exposure should also continue through employee exit strategies, realizing that unhappy former employees pose a significant risk for a potential data breach.

Finally, develop a comprehensive breach preparedness plan, to enable decisive action and avoid operational paralysis when a data breach occurs. This will allow a firm to timely respond to a breach incident, perhaps limiting the scope of the breach and potential damages to those whose information has already been compromised, as well as limiting the amount of lost productivity and negative publicity that might result from a data breach.

With careful thought and planning, law firms can significantly lower their exposure to a potential data breach and have a road map in place when and if such event occurs.